On March 25, 2019, the Supreme Court denied Zappo’s petition for certiorari allowing a class action to proceed for a 2012 data breach even though consumers didn’t establish they were injured by the breach. This is a setback for companies hoping to limit their liability in data breach cases.
By way of background. On June 1, 2015, the District Court of Nevada dismissed for lack of standing the data breach putative class action against Zappos because the Plaintiffs did not allege they had suffered any harm. More here.
However, on appeal, the U.S. Court of Appeals for the Ninth Circuit found that an alleged “increased risk of future identity theft” sufficiently alleged Article III standing in a data breach putative class action and reversed the District Court’s judgment as to Plaintiffs’ standing. More here.
When denying Zappo’s petition for certiorari, the Supreme Court didn’t give a reason for its decision to leave the Ninth Circuit’s ruling in place.
Zappo’s had argued to the Supreme Court that “The stakes implicated here are substantial. As this case lays bare, most data breaches affect thousands if not millions of individuals and thus beget sprawling class actions. If companies are forced to spend time and money defending such suits even without “a concrete factual context conducive to a realistic appreciation of the consequences of judicial action,” (…) then the costs of such victimless suits will be a substantial drag on innovative companies no matter what they do to ensure that nearly inevitable hacking is addressed promptly and does not result in actual injuries. Insisting on actual injury, by contrast, gets the incentives right. Companies will have every incentive to invest in protecting data and responding quickly to prevent both injuries and lawsuits, neither of which should be inevitable.”
The case Zappos.com v. Stevens, 18-225, is available at https://www.scotusblog.com…
More on standing in data breach putative class actions is available at http://www.technethics.com… . Also of interest Data breach class actions cases in 2013, 2014, and 2015: the problem of “standing”
For more information on how privacy to implement privacy policies in your business, contact Francesca Giannoni-Crystal. Thanks to Federica Romanelli.